CVE-2026-53857: OpenClaw: display name spoofing bypasses agent allowFrom policy

HIGH
Published June 16, 2026
CISO Take

OpenClaw's Zalo integration trusts mutable display names — not stable user IDs — to enforce its allowFrom policy, meaning any Zalo user who adopts the display name of an authorized contact can receive that contact's agent responses and trigger its actions. The attack requires only a standard Zalo account and no user interaction (CVSS 8.1, AC:L), making it exploitable by any Zalo user with knowledge of an authorized display name — zero technical sophistication required. EPSS data is not yet available and no active exploitation has been observed, but the trivial exploitation path combined with High confidentiality and integrity impact demands immediate attention for any agentic deployment routing sensitive data or workflow execution through Zalo. Upgrade to OpenClaw ≥ 2026.5.3 immediately; as a short-term workaround, disable the Zalo allowFrom feature or enforce identity binding on stable Zalo UIDs rather than mutable display metadata.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

High risk for any organization running OpenClaw with Zalo integration and allowFrom policies enabled. Exploitation is trivial — it requires only a Zalo account and the ability to change one's display name, a capability available to all standard Zalo users with no technical barrier. The vulnerability is network-exploitable with no user interaction required. Because AI agents frequently carry elevated privileges — data retrieval, tool invocations, workflow execution — a policy bypass at the identity layer has blast radius far exceeding a typical web application authentication bypass. Organizations not using the Zalo channel integration are unaffected.

How does the attack unfold?

  1. Reconnaissance (AML.T0087): Attacker probes the target organization's OpenClaw agent via Zalo or observes public-facing agent interactions to enumerate the display names of authorized contacts in the allowFrom policy.

  2. Identity Spoofing (AML.T0073): Attacker renames their own Zalo display name to exactly match an authorized contact's display name, exploiting the fact that OpenClaw's policy engine uses mutable metadata as the authorization signal.

  3. Policy Bypass (AML.T0049): OpenClaw's allowFrom policy engine matches the attacker's spoofed display name against its authorized list and grants access, treating the attacker as the legitimate authorized identity.

  4. Unauthorized Access and Execution (AML.T0053): Attacker receives agent responses, sensitive data outputs, or invokes agent tools and automated workflows intended exclusively for the impersonated authorized identity.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   pip                            No patch
4 dependents; 61% patched; ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector)         Network
AC (Attack Complexity)     Low
PR (Privileges Required)   Low
UI (User Interaction)      None
S  (Scope)                 Unchanged
C  (Confidentiality)       High
I  (Integrity)             High
A  (Availability)          None

What should I do?

5 steps
  1. Patch immediately: Upgrade to OpenClaw ≥ 2026.5.3.

  2. Short-term workaround: Disable the Zalo allowFrom feature entirely if patching cannot be applied immediately.

  3. Identity binding verification: Confirm the patched version enforces policy matching on stable Zalo UIDs rather than mutable display names before re-enabling the feature.

  4. Retroactive audit: Review agent interaction logs for Zalo contacts whose display names match allowFrom entries but whose UIDs differ from expected authorized users — this may surface prior exploitation.

  5. Detection: Implement alerting on display name changes for Zalo contacts present in your allowFrom policy list.
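To make the policy defect in the attack chain above and remediation steps 3 to 5 concrete, here is an added example that is not OpenClaw's code: a minimal allowFrom check in the vulnerable display-name form beside the stable-UID form, plus the retroactive audit (step 4) and display-name-change alerting (step 5) run over constructed log lines. The policy shape, log field names and UID values are assumptions for illustration.

```python
# Added example, not OpenClaw's code: the allowFrom check as the advisory describes
# it (display-name match) beside the stable-UID form, plus the step-4 audit and
# step-5 alerting over constructed JSON log lines. Field names are assumed.
import json

# Hypothetical policy shape: each allowFrom entry pins the stable UID and the
# display name the contact had when enrolled.
ALLOW_FROM = [{"uid": "zalo-uid-1001", "display_name": "Alice Nguyen"}]

def allowed_vulnerable(uid, display_name, policy=ALLOW_FROM):
    """Pre-2026.5.3 behaviour: any sender who adopts a listed name matches."""
    return any(e["display_name"] == display_name for e in policy)

def allowed_fixed(uid, display_name, policy=ALLOW_FROM):
    """Hardened: authorization keys on the stable UID; the name is ignored."""
    return any(e["uid"] == uid for e in policy)

# Constructed agent interaction log (one JSON object per line).
SAMPLE_LOG = [
    '{"ts": "2026-06-16T09:00Z", "uid": "zalo-uid-1001", "name": "Alice Nguyen", "action": "tool:report"}',
    '{"ts": "2026-06-16T09:05Z", "uid": "zalo-uid-4242", "name": "Alice Nguyen", "action": "tool:report"}',
    '{"ts": "2026-06-16T09:06Z", "uid": "zalo-uid-4242", "name": "Bob Tran", "action": "denied"}',
    '{"ts": "2026-06-16T10:00Z", "uid": "zalo-uid-1001", "name": "A. Nguyen", "action": "tool:report"}',
]

def audit_log(lines, policy=ALLOW_FROM):
    """Step 4: entries whose display name is in allowFrom but whose UID is not
    the UID enrolled under that name (possible prior spoofing)."""
    expected = {e["display_name"]: e["uid"] for e in policy}
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        enrolled_uid = expected.get(ev["name"])
        if enrolled_uid is not None and enrolled_uid != ev["uid"]:
            findings.append((ev["ts"], ev["uid"], ev["name"]))
    return findings

def name_change_alerts(lines, policy=ALLOW_FROM):
    """Step 5: alert when an allowFrom UID appears under a new display name."""
    last_seen = {e["uid"]: e["display_name"] for e in policy}
    alerts = []
    for raw in lines:
        ev = json.loads(raw)
        old = last_seen.get(ev["uid"])
        if old is not None and old != ev["name"]:
            alerts.append((ev["ts"], ev["uid"], old, ev["name"]))
            last_seen[ev["uid"]] = ev["name"]
    return alerts
```

The audit flags the second log line (an unknown UID using an authorized name), while the alerting function fires only on the last line, where the enrolled UID itself changed its name; the hardened check still admits that renamed legitimate user.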

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Access control for AI systems
NIST AI RMF
GOVERN 1.2 - Accountability and authorization structures
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53857?

OpenClaw's Zalo integration trusts mutable display names — not stable user IDs — to enforce its allowFrom policy, meaning any Zalo user who adopts the display name of an authorized contact can receive that contact's agent responses and trigger its actions. The attack requires only a standard Zalo account and no user interaction (CVSS 8.1, AC:L), making it exploitable by any Zalo user with knowledge of an authorized display name — zero technical sophistication required. EPSS data is not yet available and no active exploitation has been observed, but the trivial exploitation path combined with High confidentiality and integrity impact demands immediate attention for any agentic deployment routing sensitive data or workflow execution through Zalo. Upgrade to OpenClaw ≥ 2026.5.3 immediately; as a short-term workaround, disable the Zalo allowFrom feature or enforce identity binding on stable Zalo UIDs rather than mutable display metadata.

Is CVE-2026-53857 actively exploited?

No confirmed active exploitation of CVE-2026-53857 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53857?

  1. Patch immediately: Upgrade to OpenClaw ≥ 2026.5.3.
  2. Short-term workaround: Disable the Zalo allowFrom feature entirely if patching cannot be applied immediately.
  3. Identity binding verification: Confirm the patched version enforces policy matching on stable Zalo UIDs rather than mutable display names before re-enabling the feature.
  4. Retroactive audit: Review agent interaction logs for Zalo contacts whose display names match allowFrom entries but whose UIDs differ from expected authorized users; this may surface prior exploitation.
  5. Detection: Implement alerting on display name changes for Zalo contacts present in your allowFrom policy list.

What systems are affected by CVE-2026-53857?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Messaging platform integrations, Policy-based access control in agents, Multi-channel agent deployments.

What is the CVSS score for CVE-2026-53857?

CVE-2026-53857 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Messaging platform integrations
Policy-based access control in agents
Multi-channel agent deployments

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0073 Impersonation
AML.T0074 Masquerading
AML.T0087 Gather Victim Identity Information

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.

Exploitation Scenario

A threat actor targets an organization using OpenClaw to automate internal data retrieval via Zalo. The attacker, holding a standard Zalo account, interacts with the organization's visible Zalo presence or monitors public-facing agent responses to identify the display name of an authorized contact in the allowFrom policy. The attacker renames their own Zalo display name to match that contact's name. When the attacker messages the OpenClaw agent, the policy engine matches the spoofed display name against the allowFrom list and grants access; the attacker then receives (or can actively request) sensitive intelligence reports and internal briefings, or triggers automated workflows that the legitimate authorized user has access to, all without ever compromising the real user's account.

Weaknesses (CWE)

CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026
